diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_workbook.json b/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_workbook.json
index bfb43777..7ed5b6e9 100644
--- a/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_workbook.json
+++ b/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_workbook.json
@@ -32,7 +32,7 @@ "kind": "shared", "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Copilot for Security Audit Workbook](https://learn.microsoft.com/en-us/copilot/security/microsoft-security-copilot)\\n---\\n\\nMicrosoft Copilot for Security is a generative AI-powered security solution designed to enhance the efficiency and capabilities of security professionals1. It supports end-to-end scenarios such as incident response, threat hunting, intelligence gathering, and posture management2. By integrating with products like Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Intune, as well as third-party services like ServiceNow, Copilot for Security leverages security-specific plugins, organizational data, authoritative sources, and global threat intelligence3. This enables security professionals to gain wider visibility into threats, prioritize response efforts, and streamline decision-making4. 
Copilot for Security provides actionable guidance for incident response, translating complex security alerts into concise summaries and offering step-by-step directions for triage, investigation, containment, and remediation.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"f16d570f-12c1-48f2-94fa-7e114263a291\",\"cellValue\":\"Nav\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Copilot for Security Audit\",\"subTarget\":\"audit\",\"preText\":\"Copilot for Security Audit Data\",\"style\":\"link\"},{\"id\":\"ab2c8e5c-1a0f-4041-ab18-c9b387ecf33b\",\"cellValue\":\"Nav\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Copilot for Security Sign in Data\",\"subTarget\":\"Signin\",\"style\":\"link\"},{\"id\":\"03e3f1de-2a0f-4f14-ad2f-cba53365c4b3\",\"cellValue\":\"Nav\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Copilot for Security SCU Events\",\"subTarget\":\"SCU\",\"style\":\"link\"}]},\"name\":\"links - 2\",\"styleSettings\":{\"padding\":\"0\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e3388fc6-e10b-4a86-bdc1-22677adcb351\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":2419200000}},{\"id\":\"4f442515-aa9d-41ff-9891-acdb998b1a4d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultWorkspace\",\"type\":5,\"typeSett
ings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"additionalResourceOptions\":[\"value::1\"]},\"value\":\"/subscriptions/ab48f397-fc82-4634-aa52-62dd91b3ebaa/resourcegroups/woodgrove-rg/providers/microsoft.operationalinsights/workspaces/woodgrove-loganalyiticsworkspace\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = \\r\\n external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\r\\n [@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\r\\n with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nIdentityLogonEvents\\r\\n| where AdditionalFields.[\\\"ARG.CLOUD_SERVICE\\\"] == \\\"Medeina Portal\\\"\\r\\n| extend IPaddresses=tostring(IPAddress)\\r\\n| where isnotempty(IPaddresses) \\r\\n| evaluate ipv4_lookup(IP_Data, IPaddresses, network)\\r\\n| summarize interactioncount = count() by IPAddress, country_name\\r\\n\",\"size\":2,\"title\":\"Succesfull SIgn ins By Location\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"sizeSettings\":\"interactioncount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"interactioncount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"interactioncount\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = \\r\\n 
external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\r\\n [@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\r\\n with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nBehaviorAnalytics\\r\\n| where ActivityInsights.App == \\\"Medeina Portal\\\"\\r\\n| where ActivityInsights.Resource == \\\"Medeina Service\\\"\\r\\n| where ActivityType == \\\"FailedLogOn\\\"\\r\\n| extend IPaddresses=tostring(SourceIPAddress)\\r\\n| where isnotempty(IPaddresses) \\r\\n| evaluate ipv4_lookup(IP_Data, IPaddresses, network)\\r\\n| summarize interactioncount = count() by SourceIPAddress, country_name\\r\\n\",\"size\":2,\"title\":\"Failed SIgn ins by Location \",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"sizeSettings\":\"interactioncount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"interactioncount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"interactioncount\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityLogonEvents\\r\\n| where TimeGenerated >= ago(24h)\\r\\n| where AdditionalFields.[\\\"ARG.CLOUD_SERVICE\\\"] == \\\"Medeina Portal\\\"\\r\\n| extend User = AdditionalFields.[\\\"ACTOR.ALIAS\\\"]\\r\\n| project AccountDomain, User, ActionType, AccountUpn, IPAddress, Location, ISP, OSPlatform, DeviceType\",\"size\":0,\"title\":\"Successfull Sign ins for Copilot for 
Security\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"]},\"customWidth\":\"100\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Failed signins to the CfS service exposing user, reason, and other necessary information.\\r\\n\\r\\nBehaviorAnalytics\\r\\n| where TimeGenerated >= ago(7d)\\r\\n| where ActivityInsights.App == \\\"Medeina Portal\\\"\\r\\n| where ActivityInsights.Resource == \\\"Medeina Service\\\"\\r\\n| where ActivityType == \\\"FailedLogOn\\\"\\r\\n| project UserName, UserPrincipalName, ActionType, EventSource, SourceIPAddress, SourceIPLocation\",\"size\":0,\"title\":\"Failed Sign ins for Copilot for Security\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ActionType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"User did not pass the MFA challenge\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"\\t Other\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Invalid username or password \",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Flow token expired - Authentication Failed\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Device Authentication Required\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"100\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BehaviorAnalytics\\r\\n| where TimeGenerated >= 
ago(7d)\\r\\n| where ActivityInsights.App == \\\"Medeina Portal\\\"\\r\\n| where ActivityInsights.Resource == \\\"Medeina Service\\\"\\r\\n| where ActivityType == \\\"FailedLogOn\\\"\\r\\n| summarize Failedlogin = count() by ActionType\\r\\n\",\"size\":0,\"title\":\"Failed Sign ins By Reason\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"Nav\",\"comparison\":\"isEqualTo\",\"value\":\"Signin\"},\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"061dd12a-4223-4b86-8d66-51dd276c35ae\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"31831857-13e1-4061-b44e-c9b9acf2bd30\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultWorkspace\",\"type\":5,\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"additionalResourceOptions\":[\"value::1\"]},\"value\":\"/subscriptions/ab48f397-fc82-4634-aa52-62dd91b3ebaa/resourcegroups/woodgrove-rg/providers/microsoft.operationalinsights/workspaces/woodgrove-loganalyiticsworkspace\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"micros
oft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CFS_Audit_CL \\r\\n| where Workload_s == \\\"CopilotForSecurity\\\"\\r\\n| where UserId_s !=\\\"\\\"\\r\\n| where UserId_s !=\\\"Security Copilot\\\"\\r\\n| distinct UserId_s\\r\\n| count \",\"size\":4,\"title\":\"Total number of users for Copilot for Security\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"16\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CFS_Audit_CL\\r\\n| where Workload_s ==\\\"CopilotForSecurity\\\"\\r\\n| where Operation_s != \\\"CopilotInteraction\\\"\\r\\n| count \",\"size\":4,\"title\":\"Total No: Copilot for Security - Interactions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"16\",\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CFS_Audit_CL\\r\\n| where Workload_s ==\\\"CopilotForSecurity\\\"\\r\\n| where Operation_s contains \\\"file\\\"\\r\\n| count\",\"size\":4,\"title\":\"File 
Uploads\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CFS_Audit_CL\\r\\n| where Workload_s ==\\\"CopilotForSecurity\\\"\\r\\n| where Operation_s contains \\\"Disable\\\"\\r\\n| count\",\"size\":4,\"title\":\"Disabled Copilot for Security Plugins\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where DisplayName == \\\"TI map IP entity to Copilot For Security Audit Prompts\\\" \\r\\n| where DisplayName == \\\"CFS-Anomalous sign-in activity by Copilot for Security user\\\"\\r\\n| where DisplayName == \\\"CFS-Anomalous Operations by Copilot for Security User\\\"\\r\\n| count \",\"size\":4,\"title\":\"Copilot For Security 
Detections\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy - Copy - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CFS_Audit_CL\\r\\n| where Workload_s ==\\\"CopilotForSecurity\\\"\\r\\n| where Operation_s contains \\\"UpdateCopilotSettings\\\"\\r\\n| count\",\"size\":4,\"title\":\"Changed Copilot for Security Settings\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CFS_Audit_CL \\r\\n| where Workload_s == \\\"CopilotForSecurity\\\"\\r\\n| where UserId_s !=\\\"Security Copilot\\\"\\r\\n| where UserId_s !~ \\\"Copilot for Security\\\"\\r\\n| where RecordType_d == 261\\r\\n| summarize count() by bin(TimeGenerated, 1day) \",\"size\":0,\"title\":\"Prompts over time 
\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"exportFieldName\":\"CreatedTime\",\"exportParameterName\":\"TimePicker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"],\"visualization\":\"barchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"UserKey_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"promptCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"Prompts over time \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CFS_Audit_CL\\r\\n| where Workload_s ==\\\"CopilotForSecurity\\\"\\r\\n| where Operation_s != \\\"CopilotInteraction\\\"\\r\\n| summarize interactioncount = count() by Operation_s\",\"size\":0,\"title\":\"Copilot for Security Interaction count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = \\n external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\n [@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\n with (ignoreFirstRecord=true, format=\\\"csv\\\");\\nCFS_Audit_CL\\n| where Workload_s == \\\"CopilotForSecurity\\\"\\n| extend IPaddresses=tostring(ClientIP_s)\\n| where isnotempty(IPaddresses) \\n| evaluate ipv4_lookup(IP_Data, IPaddresses, network)\\n| summarize interactioncount = count() by ClientIP_s, country_name\\n\",\"size\":0,\"title\":\"Copilot for Security Interactions by 
Location\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"latitude\":\"_TableName\",\"longitude\":\"_TableName\",\"sizeSettings\":\"interactioncount\",\"sizeAggregation\":\"Sum\",\"maxSize\":100,\"legendMetric\":\"interactioncount\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"SignInCount\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"35\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CFS_Audit_CL \\r\\n| where Workload_s == \\\"CopilotForSecurity\\\"\\r\\n| where UserId_s !=\\\"Security Copilot\\\"\\r\\n| where UserId_s !~ \\\"Copilot for Security\\\"\\r\\n| where isnotempty( ClientIP_s)\\r\\n| where RecordType_d == 261\\r\\n| summarize count() by UserKey_s\\r\\n| sort by count_\\r\\n| take 10\",\"size\":0,\"title\":\"Top Users Prompts\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"],\"visualization\":\"table\",\"tileSettings\":{\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CFS_Audit_CL\\r\\n| where Workload_s == \\\"CopilotForSecurity\\\"\\r\\n| where RecordType_d in (\\\"320\\\", \\\"321\\\", \\\"322\\\")\\r\\n| project TimeGenerated, Operation = Operation_s, sessionoid = CopilotEventData_CorrelationId_g, EvaluationId = tostring(parse_json(CopilotEventData_Messages_s)[0].Id), ISPrompt = tostring(parse_json(CopilotEventData_Messages_s)[0].isPrompt), UserId = UserId_s, RecordType = RecordType_d, ClientIP = ClientIP_s, CopilotSettingsEventData_Resource = 
CopilotSettingsEventData_Resource_s, UserKey_s,CopilotEventData_Messages_s\\r\\n| sort by TimeGenerated\\r\\n| project TimeGenerated, Operation , UserId, ClientIP, CopilotSettingsEventData_Resource\\r\\n| take 50\",\"size\":0,\"title\":\"Copilot for Security - Promptbook Interactions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"75\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CFS_Audit_CL \\r\\n| where Workload_s == \\\"CopilotForSecurity\\\"\\r\\n| where UserId_s !=\\\"Security Copilot\\\"\\r\\n| where UserId_s !~ \\\"Copilot for Security\\\"\\r\\n| where RecordType_d == 313\\r\\n| where parse_json(CopilotSettingsEventData_Resource_s)[0].Property <> \\\"FileUploads\\\"\\r\\n| where parse_json(CopilotSettingsEventData_Resource_s)[0].NewValue == \\\"Enabled\\\"\\r\\n| extend PluginsName = parse_json(CopilotSettingsEventData_Resource_s)[0].Property\\r\\n| mv-expand PluginsName\\r\\n| project TimeGenerated, UserKey_s, PluginsName\\r\\n| sort by TimeGenerated\",\"size\":0,\"title\":\"Enable Plugin Opertion\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CFS_Audit_CL \\r\\n| where Workload_s == \\\"CopilotForSecurity\\\"\\r\\n| where UserId_s !=\\\"Security Copilot\\\"\\r\\n| where UserId_s !~ \\\"Copilot for Security\\\"\\r\\n| where RecordType_d == 314\\r\\n| where parse_json(CopilotSettingsEventData_Resource_s)[0].Property <> \\\"FileUploads\\\"\\r\\n| where parse_json(CopilotSettingsEventData_Resource_s)[0].NewValue == \\\"Disabled\\\"\\r\\n| extend PluginsName = parse_json(CopilotSettingsEventData_Resource_s)[0].Property\\r\\n| mv-expand PluginsName\\r\\n| project TimeGenerated, 
UserKey_s, PluginsName\\r\\n| sort by TimeGenerated\",\"size\":0,\"title\":\"Disable Plugin\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CFS_Audit_CL \\r\\n| where Operation_s == \\\"UpdateCopilotSettings\\\"\\r\\n//| distinct CopilotSettingsEventData_Resource_s\\r\\n| extend Property = tostring(parse_json(CopilotSettingsEventData_Resource_s)[0].Property)\\r\\n| extend NewValue = tostring(parse_json(CopilotSettingsEventData_Resource_s)[0].NewValue)\\r\\n| extend Property1 = substring(Property, 9) \\r\\n| extend Enable = NewValue\\r\\n//| where Property1 contains \\\"tenant\\\"\\r\\n| extend SettingLevel = iff(Property1 contains \\\"tenant\\\", \\\"TenantLevel\\\", \\\"Userlevel\\\")\\r\\n| project TimeGenerated, UserId_s, Property1 ,SettingLevel\\r\\n| sort by SettingLevel asc \",\"size\":0,\"title\":\"Change Setting 
Opertion\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{DefaultWorkspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SettingLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"TenantLevel\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Action\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"True\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"False\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}]}},\"name\":\"query - 14\"}]},\"conditionalVisibility\":{\"parameterName\":\"Nav\",\"comparison\":\"isEqualTo\",\"value\":\"audit\"},\"name\":\"group - 12\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"arg(\\\"\\\").resourcechanges\\r\\n| extend timestamp = todatetime(properties[\\\"changeAttributes\\\"][\\\"timestamp\\\"])\\r\\n| extend changes = properties[\\\"changes\\\"]\\r\\n| extend ResourceId = tostring(properties[\\\"targetResourceId\\\"])\\r\\n| extend CorrelationId = tostring(properties[\\\"changeAttributes\\\"][\\\"correlationId\\\"]) \\r\\n| extend changeType = tostring(properties.changeType)\\r\\n| where changeType == \\\"Update\\\"\\r\\n| where changes contains \\\"numberOfUnits\\\"\\r\\n| extend newValue = tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).newValue)\\r\\n| extend previousValue = 
tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).previousValue)\\r\\n| extend changedBy = tostring(parse_json(tostring(properties.changeAttributes)).changedBy)\\r\\n| sort by timestamp\\r\\n| take 1\\r\\n| project toint(newValue)\",\"size\":4,\"title\":\"Number Of SCU's\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"newValue\",\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"30\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"arg(\\\"\\\").resourcechanges\\r\\n| extend timestamp = todatetime(properties[\\\"changeAttributes\\\"][\\\"timestamp\\\"])\\r\\n| where timestamp > ago(60d)\\r\\n| extend changes = properties[\\\"changes\\\"]\\r\\n| extend ResourceId = tostring(properties[\\\"targetResourceId\\\"])\\r\\n| extend CorrelationId = tostring(properties[\\\"changeAttributes\\\"][\\\"correlationId\\\"]) \\r\\n| extend changeType = tostring(properties.changeType)\\r\\n| where changeType == \\\"Update\\\"\\r\\n| where changes contains \\\"numberOfUnits\\\"\\r\\n| extend newValue = tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).newValue)\\r\\n| extend previousValue = tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).previousValue)\\r\\n| extend changedBy = tostring(parse_json(tostring(properties.changeAttributes)).changedBy)\\r\\n| project timestamp, previousValue, newValue , changedBy\",\"size\":1,\"title\":\"SCU Chnages\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"70\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where 
ResourceProviderValue contains \\\"copilot\\\"\",\"size\":0,\"title\":\"SCU capacity Activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Nav\",\"comparison\":\"isEqualTo\",\"value\":\"SCU\"},\"name\":\"group - 4\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"/subscriptions/ab48f397-fc82-4634-aa52-62dd91b3ebaa/resourcegroups/woodgrove-rg/providers/microsoft.operationalinsights/workspaces/woodgrove-loganalyiticsworkspace\"],\"fromTemplateId\":\"sentinel-UserWorkbook\"}", + "serializedData": "{\r\n\"version\":\"Notebook/1.0\",\r\n\"items\":[\r\n{\r\n\"type\":1,\r\n\"content\":{\r\n\"json\":\"#[CopilotforSecurityAuditWorkbook](https://learn.microsoft.com/en-us/copilot/security/microsoft-security-copilot)\\n---\\n\\nMicrosoftCopilotforSecurityisagenerativeAI-poweredsecuritysolutiondesignedtoenhancetheefficiencyandcapabilitiesofsecurityprofessionals1.Itsupportsend-to-endscenariossuchasincidentresponse,threathunting,intelligencegathering,andposturemanagement2.ByintegratingwithproductslikeMicrosoftDefenderXDR,MicrosoftSentinel,andMicrosoftIntune,aswellasthird-partyserviceslikeServiceNow,CopilotforSecurityleveragessecurity-specificplugins,organizationaldata,authoritativesources,andglobalthreatintelligence3.Thisenablessecurityprofessionalstogainwidervisibilityintothreats,prioritizeresponseefforts,andstreamlinedecision-making4.CopilotforSecurityprovidesactionableguidanceforincidentresponse,translatingcomplexsecurityalertsintoconcisesummariesandofferingstep-by-stepdirectionsfortriage,investigation,containment,andremediation.\"\r\n},\r\n\"name\":\"text-2\"\r\n},\r\n{\r\n\"type\":11,\r\n\"content\":{\r\n\"version\":\"LinkItem/1.0\",\r\n\"style\":\"tabs\",\r\n\"links\":[\r\n{\r\n\"id\":\"f16d570f-12c1-48f2-94fa-7e114263a291\",\r\n\"cellValue\":\"Nav\",\r\n\"linkTarget\":\"parameter\",\r\n\"linkLabel\":\"CopilotforSecurityAudi
t\",\r\n\"subTarget\":\"audit\",\r\n\"preText\":\"CopilotforSecurityAuditData\",\r\n\"style\":\"link\"\r\n},\r\n{\r\n\"id\":\"ab2c8e5c-1a0f-4041-ab18-c9b387ecf33b\",\r\n\"cellValue\":\"Nav\",\r\n\"linkTarget\":\"parameter\",\r\n\"linkLabel\":\"CopilotforSecuritySigninData\",\r\n\"subTarget\":\"Signin\",\r\n\"style\":\"link\"\r\n},\r\n{\r\n\"id\":\"03e3f1de-2a0f-4f14-ad2f-cba53365c4b3\",\r\n\"cellValue\":\"Nav\",\r\n\"linkTarget\":\"parameter\",\r\n\"linkLabel\":\"CopilotforSecuritySCUEvents\",\r\n\"subTarget\":\"SCU\",\r\n\"style\":\"link\"\r\n}\r\n]\r\n},\r\n\"name\":\"links-2\",\r\n\"styleSettings\":{\r\n\"padding\":\"0\",\r\n\"showBorder\":true\r\n}\r\n},\r\n{\r\n\"type\":12,\r\n\"content\":{\r\n\"version\":\"NotebookGroup/1.0\",\r\n\"groupType\":\"editable\",\r\n\"items\":[\r\n{\r\n\"type\":9,\r\n\"content\":{\r\n\"version\":\"KqlParameterItem/1.0\",\r\n\"parameters\":[\r\n{\r\n\"id\":\"e3388fc6-e10b-4a86-bdc1-22677adcb351\",\r\n\"version\":\"KqlParameterItem/1.0\",\r\n\"name\":\"TimeRange\",\r\n\"type\":4,\r\n\"typeSettings\":{\r\n\"selectableValues\":[\r\n{\r\n\"durationMs\":300000\r\n},\r\n{\r\n\"durationMs\":900000\r\n},\r\n{\r\n\"durationMs\":1800000\r\n},\r\n{\r\n\"durationMs\":3600000\r\n},\r\n{\r\n\"durationMs\":14400000\r\n},\r\n{\r\n\"durationMs\":43200000\r\n},\r\n{\r\n\"durationMs\":86400000\r\n},\r\n{\r\n\"durationMs\":172800000\r\n},\r\n{\r\n\"durationMs\":259200000\r\n},\r\n{\r\n\"durationMs\":604800000\r\n},\r\n{\r\n\"durationMs\":1209600000\r\n},\r\n{\r\n\"durationMs\":2419200000\r\n},\r\n{\r\n\"durationMs\":2592000000\r\n},\r\n{\r\n\"durationMs\":5184000000\r\n},\r\n{\r\n\"durationMs\":7776000000\r\n}\r\n]\r\n},\r\n\"timeContext\":{\r\n\"durationMs\":86400000\r\n},\r\n\"value\":{\r\n\"durationMs\":2419200000\r\n}\r\n},\r\n{\r\n\"id\":\"4f442515-aa9d-41ff-9891-acdb998b1a4d\",\r\n\"version\":\"KqlParameterItem/1.0\",\r\n\"name\":\"DefaultWorkspace\",\r\n\"type\":5,\r\n\"typeSettings\":{\r\n\"resourceTypeFilter\":{\r\n\"microsoft.operationalinsigh
ts/workspaces\":true\r\n},\r\n\"additionalResourceOptions\":[\r\n\"value::1\"\r\n]\r\n},\r\n\"value\":\"\"\r\n}\r\n],\r\n\"style\":\"pills\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\"\r\n},\r\n\"name\":\"parameters-11-Copy\"\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"letIP_Data=\\r\\nexternal_data(network:string,geoname_id:long,continent_code:string,continent_name:string,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\r\\n[@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\r\\nwith(ignoreFirstRecord=true,format=\\\"csv\\\");\\r\\nIdentityLogonEvents\\r\\n|whereAdditionalFields.[\\\"ARG.CLOUD_SERVICE\\\"]==\\\"MedeinaPortal\\\"\\r\\n|extendIPaddresses=tostring(IPAddress)\\r\\n|whereisnotempty(IPaddresses)\\r\\n|evaluateipv4_lookup(IP_Data,IPaddresses,network)\\r\\n|summarizeinteractioncount=count()byIPAddress,country_name\\r\\n\",\r\n\"size\":2,\r\n\"title\":\"SuccesfullSIgninsByLocation\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossComponentResources\":[\r\n\"{DefaultWorkspace}\"\r\n],\r\n\"visualization\":\"map\",\r\n\"mapSettings\":{\r\n\"locInfo\":\"CountryRegion\",\r\n\"locInfoColumn\":\"country_name\",\r\n\"sizeSettings\":\"interactioncount\",\r\n\"sizeAggregation\":\"Sum\",\r\n\"legendMetric\":\"interactioncount\",\r\n\"legendAggregation\":\"Sum\",\r\n\"itemColorSettings\":{\r\n\"nodeColorField\":\"interactioncount\",\r\n\"colorAggregation\":\"Sum\",\r\n\"type\":\"heatmap\",\r\n\"heatmapPalette\":\"greenRed\"\r\n}\r\n}\r\n},\r\n\"customWidth\":\"50\",\r\n\"name\":\"query-3\"\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"letIP_Data=\\r\\nexternal_data(network:string,geoname_id:long,continent_code:string,continent_name:string,country_iso_code
:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\r\\n[@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\r\\nwith(ignoreFirstRecord=true,format=\\\"csv\\\");\\r\\nBehaviorAnalytics\\r\\n|whereActivityInsights.App==\\\"MedeinaPortal\\\"\\r\\n|whereActivityInsights.Resource==\\\"MedeinaService\\\"\\r\\n|whereActivityType==\\\"FailedLogOn\\\"\\r\\n|extendIPaddresses=tostring(SourceIPAddress)\\r\\n|whereisnotempty(IPaddresses)\\r\\n|evaluateipv4_lookup(IP_Data,IPaddresses,network)\\r\\n|summarizeinteractioncount=count()bySourceIPAddress,country_name\\r\\n\",\r\n\"size\":2,\r\n\"title\":\"FailedSIgninsbyLocation\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossComponentResources\":[\r\n\"{DefaultWorkspace}\"\r\n],\r\n\"visualization\":\"map\",\r\n\"mapSettings\":{\r\n\"locInfo\":\"CountryRegion\",\r\n\"locInfoColumn\":\"country_name\",\r\n\"sizeSettings\":\"interactioncount\",\r\n\"sizeAggregation\":\"Sum\",\r\n\"legendMetric\":\"interactioncount\",\r\n\"legendAggregation\":\"Sum\",\r\n\"itemColorSettings\":{\r\n\"nodeColorField\":\"interactioncount\",\r\n\"colorAggregation\":\"Sum\",\r\n\"type\":\"heatmap\",\r\n\"heatmapPalette\":\"greenRed\"\r\n}\r\n}\r\n},\r\n\"customWidth\":\"50\",\r\n\"name\":\"query-5\"\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"IdentityLogonEvents\\r\\n|whereTimeGenerated>=ago(24h)\\r\\n|whereAdditionalFields.[\\\"ARG.CLOUD_SERVICE\\\"]==\\\"MedeinaPortal\\\"\\r\\n|extendUser=AdditionalFields.[\\\"ACTOR.ALIAS\\\"]\\r\\n|projectAccountDomain,User,ActionType,AccountUpn,IPAddress,Location,ISP,OSPlatform,DeviceType\",\r\n\"size\":0,\r\n\"title\":\"SuccessfullSigninsforCopilotforSecurity\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossCompon
entResources\":[\r\n\"{DefaultWorkspace}\"\r\n]\r\n},\r\n\"customWidth\":\"100\",\r\n\"name\":\"query-0\"\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"//FailedsigninstotheCfSserviceexposinguser,reason,andothernecessaryinformation.\\r\\n\\r\\nBehaviorAnalytics\\r\\n|whereTimeGenerated>=ago(7d)\\r\\n|whereActivityInsights.App==\\\"MedeinaPortal\\\"\\r\\n|whereActivityInsights.Resource==\\\"MedeinaService\\\"\\r\\n|whereActivityType==\\\"FailedLogOn\\\"\\r\\n|projectUserName,UserPrincipalName,ActionType,EventSource,SourceIPAddress,SourceIPLocation\",\r\n\"size\":0,\r\n\"title\":\"FailedSigninsforCopilotforSecurity\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"gridSettings\":{\r\n\"formatters\":[\r\n{\r\n\"columnMatch\":\"ActionType\",\r\n\"formatter\":18,\r\n\"formatOptions\":{\r\n\"thresholdsOptions\":\"colors\",\r\n\"thresholdsGrid\":[\r\n{\r\n\"operator\":\"contains\",\r\n\"thresholdValue\":\"UserdidnotpasstheMFAchallenge\",\r\n\"representation\":\"redBright\",\r\n\"text\":\"{0}{1}\"\r\n},\r\n{\r\n\"operator\":\"contains\",\r\n\"thresholdValue\":\"\\tOther\",\r\n\"representation\":\"gray\",\r\n\"text\":\"{0}{1}\"\r\n},\r\n{\r\n\"operator\":\"contains\",\r\n\"thresholdValue\":\"Invalidusernameorpassword\",\r\n\"representation\":\"orange\",\r\n\"text\":\"{0}{1}\"\r\n},\r\n{\r\n\"operator\":\"contains\",\r\n\"thresholdValue\":\"Flowtokenexpired-AuthenticationFailed\",\r\n\"representation\":\"blue\",\r\n\"text\":\"{0}{1}\"\r\n},\r\n{\r\n\"operator\":\"contains\",\r\n\"thresholdValue\":\"DeviceAuthenticationRequired\",\r\n\"representation\":\"yellow\",\r\n\"text\":\"{0}{1}\"\r\n},\r\n{\r\n\"operator\":\"Default\",\r\n\"thresholdValue\":null,\r\n\"representation\":\"gray\",\r\n\"text\":\"{0}{1}\"\r\n}\r\n]\r\n}\r\n}\r\n]\r\n}\r\n},\r\n\"customWidth\":\"100\",\r\n\"name\":\"query-2\"\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"vers
ion\":\"KqlItem/1.0\",\r\n\"query\":\"BehaviorAnalytics\\r\\n|whereTimeGenerated>=ago(7d)\\r\\n|whereActivityInsights.App==\\\"MedeinaPortal\\\"\\r\\n|whereActivityInsights.Resource==\\\"MedeinaService\\\"\\r\\n|whereActivityType==\\\"FailedLogOn\\\"\\r\\n|summarizeFailedlogin=count()byActionType\\r\\n\",\r\n\"size\":0,\r\n\"title\":\"FailedSigninsByReason\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossComponentResources\":[\r\n\"{DefaultWorkspace}\"\r\n],\r\n\"visualization\":\"piechart\"\r\n},\r\n\"customWidth\":\"30\",\r\n\"name\":\"query-4\"\r\n}\r\n]\r\n},\r\n\"conditionalVisibility\":{\r\n\"parameterName\":\"Nav\",\r\n\"comparison\":\"isEqualTo\",\r\n\"value\":\"Signin\"\r\n},\r\n\"name\":\"group-3\"\r\n},\r\n{\r\n\"type\":12,\r\n\"content\":{\r\n\"version\":\"NotebookGroup/1.0\",\r\n\"groupType\":\"editable\",\r\n\"items\":[\r\n{\r\n\"type\":9,\r\n\"content\":{\r\n\"version\":\"KqlParameterItem/1.0\",\r\n\"parameters\":[\r\n{\r\n\"id\":\"061dd12a-4223-4b86-8d66-51dd276c35ae\",\r\n\"version\":\"KqlParameterItem/1.0\",\r\n\"name\":\"TimeRange\",\r\n\"type\":4,\r\n\"typeSettings\":{\r\n\"selectableValues\":[\r\n{\r\n\"durationMs\":300000\r\n},\r\n{\r\n\"durationMs\":900000\r\n},\r\n{\r\n\"durationMs\":1800000\r\n},\r\n{\r\n\"durationMs\":3600000\r\n},\r\n{\r\n\"durationMs\":14400000\r\n},\r\n{\r\n\"durationMs\":43200000\r\n},\r\n{\r\n\"durationMs\":86400000\r\n},\r\n{\r\n\"durationMs\":172800000\r\n},\r\n{\r\n\"durationMs\":259200000\r\n},\r\n{\r\n\"durationMs\":604800000\r\n},\r\n{\r\n\"durationMs\":1209600000\r\n},\r\n{\r\n\"durationMs\":2419200000\r\n},\r\n{\r\n\"durationMs\":2592000000\r\n},\r\n{\r\n\"durationMs\":5184000000\r\n},\r\n{\r\n\"durationMs\":7776000000\r\n}\r\n]\r\n},\r\n\"timeContext\":{\r\n\"durationMs\":86400000\r\n},\r\n\"value\":{\r\n\"durationMs\":604800000\r\n}\r\n},\r\n{\r\n\"id\":\"31831857-13e1-4061-b44e-c9b9acf2bd30\",\r\n\"version\":\"Kq
lParameterItem/1.0\",\r\n\"name\":\"DefaultWorkspace\",\r\n\"type\":5,\r\n\"typeSettings\":{\r\n\"resourceTypeFilter\":{\r\n\"microsoft.operationalinsights/workspaces\":true\r\n},\r\n\"additionalResourceOptions\":[\r\n\"value::1\"\r\n]\r\n},\r\n\"value\":\"\"\r\n}\r\n],\r\n\"style\":\"pills\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\"\r\n},\r\n\"name\":\"parameters-11\"\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"CFS_Audit_CL\\r\\n|whereWorkload_s==\\\"CopilotForSecurity\\\"\\r\\n|whereUserId_s!=\\\"\\\"\\r\\n|whereUserId_s!=\\\"SecurityCopilot\\\"\\r\\n|distinctUserId_s\\r\\n|count\",\r\n\"size\":4,\r\n\"title\":\"TotalnumberofusersforCopilotforSecurity\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossComponentResources\":[\r\n\"{DefaultWorkspace}\"\r\n],\r\n\"visualization\":\"tiles\",\r\n\"tileSettings\":{\r\n\"titleContent\":{\r\n\"columnMatch\":\"Count\",\r\n\"formatter\":8,\r\n\"formatOptions\":{\r\n\"palette\":\"orangeDark\"\r\n},\r\n\"numberFormat\":{\r\n\"unit\":0,\r\n\"options\":{\r\n\"style\":\"decimal\"\r\n}\r\n}\r\n},\r\n\"showBorder\":true\r\n}\r\n},\r\n\"customWidth\":\"16\",\r\n\"name\":\"query-3\"\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"CFS_Audit_CL\\r\\n|whereWorkload_s==\\\"CopilotForSecurity\\\"\\r\\n|whereOperation_s!=\\\"CopilotInteraction\\\"\\r\\n|count\",\r\n\"size\":4,\r\n\"title\":\"TotalNo:CopilotforSecurity-Interactions\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossComponentResources\":[\r\n\"{DefaultWorkspace}\"\r\n],\r\n\"visualization\":\"tiles\",\r\n\"tileSettings\":{\r\n\"titleContent\":{\r\n\"columnMatch\":\"Count\",\r\n\"formatter\":8,\r\n\"formatOptions\":{\r\n\"palette\":\"orangeDark\"\r\n},\r\n\"nu
mberFormat\":{\r\n\"unit\":0,\r\n\"options\":{\r\n\"style\":\"decimal\"\r\n}\r\n}\r\n},\r\n\"showBorder\":true\r\n}\r\n},\r\n\"customWidth\":\"16\",\r\n\"name\":\"query-3-Copy\",\r\n\"styleSettings\":{\r\n\"maxWidth\":\"20\"\r\n}\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"CFS_Audit_CL\\r\\n|whereWorkload_s==\\\"CopilotForSecurity\\\"\\r\\n|whereOperation_scontains\\\"file\\\"\\r\\n|count\",\r\n\"size\":4,\r\n\"title\":\"FileUploads\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossComponentResources\":[\r\n\"{DefaultWorkspace}\"\r\n],\r\n\"visualization\":\"tiles\",\r\n\"tileSettings\":{\r\n\"titleContent\":{\r\n\"columnMatch\":\"Count\",\r\n\"formatter\":8,\r\n\"formatOptions\":{\r\n\"palette\":\"orangeDark\"\r\n},\r\n\"numberFormat\":{\r\n\"unit\":0,\r\n\"options\":{\r\n\"style\":\"decimal\"\r\n}\r\n}\r\n},\r\n\"showBorder\":true\r\n}\r\n},\r\n\"customWidth\":\"17\",\r\n\"name\":\"query-3-Copy-Copy\",\r\n\"styleSettings\":{\r\n\"maxWidth\":\"20\"\r\n}\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"CFS_Audit_CL\\r\\n|whereWorkload_s==\\\"CopilotForSecurity\\\"\\r\\n|whereOperation_scontains\\\"Disable\\\"\\r\\n|count\",\r\n\"size\":4,\r\n\"title\":\"DisabledCopilotforSecurityPlugins\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossComponentResources\":[\r\n\"{DefaultWorkspace}\"\r\n],\r\n\"visualization\":\"tiles\",\r\n\"tileSettings\":{\r\n\"titleContent\":{\r\n\"columnMatch\":\"Count\",\r\n\"formatter\":8,\r\n\"formatOptions\":{\r\n\"palette\":\"orangeDark\"\r\n},\r\n\"numberFormat\":{\r\n\"unit\":0,\r\n\"options\":{\r\n\"style\":\"decimal\"\r\n}\r\n}\r\n},\r\n\"showBorder\":true\r\n}\r\n},\r\n\"customWidth\":\"17\",\r\n\"name\":\"query-3-Copy-Copy-Copy\",\r\n\"styleSettings\":{\r\n\"m
axWidth\":\"20\"\r\n}\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"SecurityAlert\\r\\n|whereDisplayName==\\\"TImapIPentitytoCopilotForSecurityAuditPrompts\\\"\\r\\n|whereDisplayName==\\\"CFS-Anomaloussign-inactivitybyCopilotforSecurityuser\\\"\\r\\n|whereDisplayName==\\\"CFS-AnomalousOperationsbyCopilotforSecurityUser\\\"\\r\\n|count\",\r\n\"size\":4,\r\n\"title\":\"CopilotForSecurityDetections\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossComponentResources\":[\r\n\"{DefaultWorkspace}\"\r\n],\r\n\"visualization\":\"tiles\",\r\n\"tileSettings\":{\r\n\"titleContent\":{\r\n\"columnMatch\":\"Count\",\r\n\"formatter\":8,\r\n\"formatOptions\":{\r\n\"palette\":\"orangeDark\"\r\n},\r\n\"numberFormat\":{\r\n\"unit\":0,\r\n\"options\":{\r\n\"style\":\"decimal\"\r\n}\r\n}\r\n},\r\n\"showBorder\":true\r\n}\r\n},\r\n\"customWidth\":\"17\",\r\n\"name\":\"query-3-Copy-Copy-Copy-Copy-Copy\",\r\n\"styleSettings\":{\r\n\"maxWidth\":\"20\"\r\n}\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"CFS_Audit_CL\\r\\n|whereWorkload_s==\\\"CopilotForSecurity\\\"\\r\\n|whereOperation_scontains\\\"UpdateCopilotSettings\\\"\\r\\n|count\",\r\n\"size\":4,\r\n\"title\":\"ChangedCopilotforSecuritySettings\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossComponentResources\":[\r\n\"{DefaultWorkspace}\"\r\n],\r\n\"visualization\":\"tiles\",\r\n\"tileSettings\":{\r\n\"titleContent\":{\r\n\"columnMatch\":\"Count\",\r\n\"formatter\":8,\r\n\"formatOptions\":{\r\n\"palette\":\"orangeDark\"\r\n},\r\n\"numberFormat\":{\r\n\"unit\":0,\r\n\"options\":{\r\n\"style\":\"decimal\"\r\n}\r\n}\r\n},\r\n\"showBorder\":true\r\n}\r\n},\r\n\"customWidth\":\"17\",\r\n\"name\":\"query-3-Copy-Copy-Copy-Copy\",\r\n\"styleSettings\":{\r\n\"maxWidt
h\":\"20\"\r\n}\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"CFS_Audit_CL\\r\\n|whereWorkload_s==\\\"CopilotForSecurity\\\"\\r\\n|whereUserId_s!=\\\"SecurityCopilot\\\"\\r\\n|whereUserId_s!~\\\"CopilotforSecurity\\\"\\r\\n|whereRecordType_d==261\\r\\n|summarizecount()bybin(TimeGenerated,1day)\",\r\n\"size\":0,\r\n\"title\":\"Promptsovertime\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"timeBrushParameterName\":\"TimeBrush\",\r\n\"exportFieldName\":\"CreatedTime\",\r\n\"exportParameterName\":\"TimePicker\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossComponentResources\":[\r\n\"{DefaultWorkspace}\"\r\n],\r\n\"visualization\":\"barchart\",\r\n\"graphSettings\":{\r\n\"type\":0,\r\n\"topContent\":{\r\n\"columnMatch\":\"UserKey_s\",\r\n\"formatter\":1\r\n},\r\n\"centerContent\":{\r\n\"columnMatch\":\"promptCount\",\r\n\"formatter\":1,\r\n\"numberFormat\":{\r\n\"unit\":17,\r\n\"options\":{\r\n\"maximumSignificantDigits\":3,\r\n\"maximumFractionDigits\":2\r\n}\r\n}\r\n}\r\n}\r\n},\r\n\"name\":\"Promptsovertime\"\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"CFS_Audit_CL\\r\\n|whereWorkload_s==\\\"CopilotForSecurity\\\"\\r\\n|whereOperation_s!=\\\"CopilotInteraction\\\"\\r\\n|summarizeinteractioncount=count()byOperation_s\",\r\n\"size\":0,\r\n\"title\":\"CopilotforSecurityInteractioncount\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossComponentResources\":[\r\n\"{DefaultWorkspace}\"\r\n],\r\n\"visualization\":\"piechart\"\r\n},\r\n\"customWidth\":\"25\",\r\n\"name\":\"query-4\"\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"letIP_Data=\\nexternal_data(network:string,geoname_id:long,continent_code:string,continent_name:string,country_iso_code:string,country_name:string,is_anonymous_proxy:
bool,is_satellite_provider:bool)\\n[@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\nwith(ignoreFirstRecord=true,format=\\\"csv\\\");\\nCFS_Audit_CL\\n|whereWorkload_s==\\\"CopilotForSecurity\\\"\\n|extendIPaddresses=tostring(ClientIP_s)\\n|whereisnotempty(IPaddresses)\\n|evaluateipv4_lookup(IP_Data,IPaddresses,network)\\n|summarizeinteractioncount=count()byClientIP_s,country_name\\n\",\r\n\"size\":0,\r\n\"title\":\"CopilotforSecurityInteractionsbyLocation\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossComponentResources\":[\r\n\"{DefaultWorkspace}\"\r\n],\r\n\"visualization\":\"map\",\r\n\"mapSettings\":{\r\n\"locInfo\":\"CountryRegion\",\r\n\"locInfoColumn\":\"country_name\",\r\n\"latitude\":\"_TableName\",\r\n\"longitude\":\"_TableName\",\r\n\"sizeSettings\":\"interactioncount\",\r\n\"sizeAggregation\":\"Sum\",\r\n\"maxSize\":100,\r\n\"legendMetric\":\"interactioncount\",\r\n\"legendAggregation\":\"Count\",\r\n\"itemColorSettings\":{\r\n\"nodeColorField\":\"SignInCount\",\r\n\"colorAggregation\":\"Count\",\r\n\"type\":\"heatmap\",\r\n\"heatmapPalette\":\"greenRed\"\r\n}\r\n}\r\n},\r\n\"customWidth\":\"35\",\r\n\"name\":\"query-2\"\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"CFS_Audit_CL\\r\\n|whereWorkload_s==\\\"CopilotForSecurity\\\"\\r\\n|whereUserId_s!=\\\"SecurityCopilot\\\"\\r\\n|whereUserId_s!~\\\"CopilotforSecurity\\\"\\r\\n|whereisnotempty(ClientIP_s)\\r\\n|whereRecordType_d==261\\r\\n|summarizecount()byUserKey_s\\r\\n|sortbycount_\\r\\n|take10\",\r\n\"size\":0,\r\n\"title\":\"TopUsersPrompts\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossComponentResources\":[\r\n\"{DefaultWorkspace}\"\r\n],\r\n\"visualization\":\"table\",\r\n\"tileSettings\":{\r\n\"showBorder\":false\
r\n}\r\n},\r\n\"customWidth\":\"25\",\r\n\"name\":\"query-2\"\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"CFS_Audit_CL\\r\\n|whereWorkload_s==\\\"CopilotForSecurity\\\"\\r\\n|whereRecordType_din(\\\"320\\\",\\\"321\\\",\\\"322\\\")\\r\\n|projectTimeGenerated,Operation=Operation_s,sessionoid=CopilotEventData_CorrelationId_g,EvaluationId=tostring(parse_json(CopilotEventData_Messages_s)[0].Id),ISPrompt=tostring(parse_json(CopilotEventData_Messages_s)[0].isPrompt),UserId=UserId_s,RecordType=RecordType_d,ClientIP=ClientIP_s,CopilotSettingsEventData_Resource=CopilotSettingsEventData_Resource_s,UserKey_s,CopilotEventData_Messages_s\\r\\n|sortbyTimeGenerated\\r\\n|projectTimeGenerated,Operation,UserId,ClientIP,CopilotSettingsEventData_Resource\\r\\n|take50\",\r\n\"size\":0,\r\n\"title\":\"CopilotforSecurity-PromptbookInteractions\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\"\r\n},\r\n\"customWidth\":\"75\",\r\n\"name\":\"query-9\"\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"CFS_Audit_CL\\r\\n|whereWorkload_s==\\\"CopilotForSecurity\\\"\\r\\n|whereUserId_s!=\\\"SecurityCopilot\\\"\\r\\n|whereUserId_s!~\\\"CopilotforSecurity\\\"\\r\\n|whereRecordType_d==313\\r\\n|whereparse_json(CopilotSettingsEventData_Resource_s)[0].Property<>\\\"FileUploads\\\"\\r\\n|whereparse_json(CopilotSettingsEventData_Resource_s)[0].NewValue==\\\"Enabled\\\"\\r\\n|extendPluginsName=parse_json(CopilotSettingsEventData_Resource_s)[0].Property\\r\\n|mv-expandPluginsName\\r\\n|projectTimeGenerated,UserKey_s,PluginsName\\r\\n|sortbyTimeGenerated\",\r\n\"size\":0,\r\n\"title\":\"EnablePluginOpertion\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossComponentResources\":[\r\n\"{DefaultWorkspace}\"\r\n]\r\n},\r\n\"customWidth\":\"50\",\
r\n\"name\":\"query-12\"\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"CFS_Audit_CL\\r\\n|whereWorkload_s==\\\"CopilotForSecurity\\\"\\r\\n|whereUserId_s!=\\\"SecurityCopilot\\\"\\r\\n|whereUserId_s!~\\\"CopilotforSecurity\\\"\\r\\n|whereRecordType_d==314\\r\\n|whereparse_json(CopilotSettingsEventData_Resource_s)[0].Property<>\\\"FileUploads\\\"\\r\\n|whereparse_json(CopilotSettingsEventData_Resource_s)[0].NewValue==\\\"Disabled\\\"\\r\\n|extendPluginsName=parse_json(CopilotSettingsEventData_Resource_s)[0].Property\\r\\n|mv-expandPluginsName\\r\\n|projectTimeGenerated,UserKey_s,PluginsName\\r\\n|sortbyTimeGenerated\",\r\n\"size\":0,\r\n\"title\":\"DisablePlugin\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossComponentResources\":[\r\n\"{DefaultWorkspace}\"\r\n]\r\n},\r\n\"customWidth\":\"50\",\r\n\"name\":\"query-13\"\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"CFS_Audit_CL\\r\\n|whereOperation_s==\\\"UpdateCopilotSettings\\\"\\r\\n//|distinctCopilotSettingsEventData_Resource_s\\r\\n|extendProperty=tostring(parse_json(CopilotSettingsEventData_Resource_s)[0].Property)\\r\\n|extendNewValue=tostring(parse_json(CopilotSettingsEventData_Resource_s)[0].NewValue)\\r\\n|extendProperty1=substring(Property,9)\\r\\n|extendEnable=NewValue\\r\\n//|whereProperty1contains\\\"tenant\\\"\\r\\n|extendSettingLevel=iff(Property1contains\\\"tenant\\\",\\\"TenantLevel\\\",\\\"Userlevel\\\")\\r\\n|projectTimeGenerated,UserId_s,Property1,SettingLevel\\r\\n|sortbySettingLevelasc\",\r\n\"size\":0,\r\n\"title\":\"ChangeSettingOpertion\",\r\n\"timeContextFromParameter\":\"TimeRange\",\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"crossComponentResources\":[\r\n\"{DefaultWorkspace}\"\r\n],\r\n\"gridSettings\":{\r\n\"formatters\":[\r\n{\r\n\"columnMatch\":\"SettingLe
vel\",\r\n\"formatter\":18,\r\n\"formatOptions\":{\r\n\"thresholdsOptions\":\"colors\",\r\n\"thresholdsGrid\":[\r\n{\r\n\"operator\":\"contains\",\r\n\"thresholdValue\":\"TenantLevel\",\r\n\"representation\":\"yellow\",\r\n\"text\":\"{0}{1}\"\r\n},\r\n{\r\n\"operator\":\"Default\",\r\n\"thresholdValue\":null,\r\n\"representation\":\"gray\",\r\n\"text\":\"{0}{1}\"\r\n}\r\n]\r\n}\r\n},\r\n{\r\n\"columnMatch\":\"Action\",\r\n\"formatter\":18,\r\n\"formatOptions\":{\r\n\"thresholdsOptions\":\"colors\",\r\n\"thresholdsGrid\":[\r\n{\r\n\"operator\":\"contains\",\r\n\"thresholdValue\":\"True\",\r\n\"representation\":\"green\",\r\n\"text\":\"{0}{1}\"\r\n},\r\n{\r\n\"operator\":\"contains\",\r\n\"thresholdValue\":\"False\",\r\n\"representation\":\"redBright\",\r\n\"text\":\"{0}{1}\"\r\n},\r\n{\r\n\"operator\":\"Default\",\r\n\"thresholdValue\":null,\r\n\"representation\":\"lightBlue\",\r\n\"text\":\"{0}{1}\"\r\n}\r\n]\r\n}\r\n}\r\n]\r\n}\r\n},\r\n\"name\":\"query-14\"\r\n}\r\n]\r\n},\r\n\"conditionalVisibility\":{\r\n\"parameterName\":\"Nav\",\r\n\"comparison\":\"isEqualTo\",\r\n\"value\":\"audit\"\r\n},\r\n\"name\":\"group-12\"\r\n},\r\n{\r\n\"type\":12,\r\n\"content\":{\r\n\"version\":\"NotebookGroup/1.0\",\r\n\"groupType\":\"editable\",\r\n\"items\":[\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"arg(\\\"\\\").resourcechanges\\r\\n|extendtimestamp=todatetime(properties[\\\"changeAttributes\\\"][\\\"timestamp\\\"])\\r\\n|extendchanges=properties[\\\"changes\\\"]\\r\\n|extendResourceId=tostring(properties[\\\"targetResourceId\\\"])\\r\\n|extendCorrelationId=tostring(properties[\\\"changeAttributes\\\"][\\\"correlationId\\\"])\\r\\n|extendchangeType=tostring(properties.changeType)\\r\\n|wherechangeType==\\\"Update\\\"\\r\\n|wherechangescontains\\\"numberOfUnits\\\"\\r\\n|extendnewValue=tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).newValue)\\r\\n|extendpreviousValue=tostring(parse_json(tostring(changes.[\\\"pr
operties.numberOfUnits\\\"])).previousValue)\\r\\n|extendchangedBy=tostring(parse_json(tostring(properties.changeAttributes)).changedBy)\\r\\n|sortbytimestamp\\r\\n|take1\\r\\n|projecttoint(newValue)\",\r\n\"size\":4,\r\n\"title\":\"NumberOfSCU's\",\r\n\"timeContext\":{\r\n\"durationMs\":2592000000\r\n},\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"visualization\":\"tiles\",\r\n\"tileSettings\":{\r\n\"titleContent\":{\r\n\"columnMatch\":\"newValue\",\r\n\"numberFormat\":{\r\n\"unit\":17,\r\n\"options\":{\r\n\"style\":\"decimal\"\r\n}\r\n}\r\n},\r\n\"showBorder\":true\r\n}\r\n},\r\n\"customWidth\":\"30\",\r\n\"name\":\"query-0\"\r\n},\r\n{\r\n\"type\":3,\r\n\"content\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"arg(\\\"\\\").resourcechanges\\r\\n|extendtimestamp=todatetime(properties[\\\"changeAttributes\\\"][\\\"timestamp\\\"])\\r\\n|wheretimestamp>ago(60d)\\r\\n|extendchanges=properties[\\\"changes\\\"]\\r\\n|extendResourceId=tostring(properties[\\\"targetResourceId\\\"])\\r\\n|extendCorrelationId=tostring(properties[\\\"changeAttributes\\\"][\\\"correlationId\\\"])\\r\\n|extendchangeType=tostring(properties.changeType)\\r\\n|wherechangeType==\\\"Update\\\"\\r\\n|wherechangescontains\\\"numberOfUnits\\\"\\r\\n|extendnewValue=tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).newValue)\\r\\n|extendpreviousValue=tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).previousValue)\\r\\n|extendchangedBy=tostring(parse_json(tostring(properties.changeAttributes)).changedBy)\\r\\n|projecttimestamp,previousValue,newValue,changedBy\",\r\n\"size\":1,\r\n\"title\":\"SCUChnages\",\r\n\"timeContext\":{\r\n\"durationMs\":86400000\r\n},\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\",\r\n\"visualization\":\"table\",\r\n\"graphSettings\":{\r\n\"type\":0\r\n}\r\n},\r\n\"customWidth\":\"70\",\r\n\"name\":\"query-1\"\r\n},\r\n{\r\n\"type\":3,\r\n\"conten
t\":{\r\n\"version\":\"KqlItem/1.0\",\r\n\"query\":\"AzureActivity\\r\\n|whereResourceProviderValuecontains\\\"copilot\\\"\",\r\n\"size\":0,\r\n\"title\":\"SCUcapacityActivities\",\r\n\"timeContext\":{\r\n\"durationMs\":86400000\r\n},\r\n\"queryType\":0,\r\n\"resourceType\":\"microsoft.operationalinsights/workspaces\"\r\n},\r\n\"name\":\"query-2\"\r\n}\r\n]\r\n},\r\n\"conditionalVisibility\":{\r\n\"parameterName\":\"Nav\",\r\n\"comparison\":\"isEqualTo\",\r\n\"value\":\"SCU\"\r\n},\r\n\"name\":\"group-4\"\r\n}\r\n],\r\n\"fallbackResourceIds\":[\r\n\"\"\r\n],\r\n\"fromTemplateId\":\"sentinel-UserWorkbook\",\r\n\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\r\n}", "version": "1.0", "sourceId": "[variables('WorkbookSourceId')]", "category": "sentinel"